Steam ramps up security: 77000 accounts a month hijacked

77,000 Steam accounts get hijacked every month, so Valve’s getting tough with traders.

Steam has introduced a couple of new security measures on trading. “It’s a losing battle to protect your items against someone who steals them for a living”. ‘Once again, we’re fully aware that this is a tradeoff with the potential for a large impact on trading.

And these aren’t just accounts belonging to new or naive users — they’re professional gamers, Reddit users, and item traders, according to a recent Steam blog post. It would be easier for them to go after the users who don’t understand how to stay secure online, but the prevalence of items make it worthwhile to target everyone. While the items can be returned and the account details reset, it’s a pain for everyone involved and for Valve, means devaluing the economy by creating duplicate items. “This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence”. Valve says that hacking is more widespread now that most users are involved in Steam’s virtual economy in some way, holding virtual items and trading cards that can be traded or sold (for Steam Wallet funds or even real money). Two-step authentication using the platform’s Steam Guard Mobile Authenticator came in April, prompting users to confirm their identity when logging in on a new machine or from a new location with their mobile phone.

Valve didn’t share any financial details around these cybercrimes, but it did say that “enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers.” A recent report claimed that hackers cost companies around $400 billion globally every year. So by introducing a waiting period, it might discourage hackers and give players more time to recover their account. “Many don’t believe that they are actually a worthwhile target for a hacker who’s out to make money”. Users that have two-factor authentication enabled will be exempt from this restriction, since their accounts are theoretically safe from most hacking attempts. “So what if instead of trying to prevent hackers from being able to steal a Steam account that hasn’t enabled two-factor authentication, we tried removing their ability to profit from the theft”, Valve writes.

Previously, trades of items such as trading cards and in-game goods between Steam account holders were instant once each party had agreed to the swap. They go on to say, We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn’t intend to. Valve realizes that this change will likely have a big impact on an item-trading community, which is used to the convenience of instant trades, but it says “this is one of those times where we feel like we’re forced to insert a step or shut it all down.” “Asking users to enter a password to log into their account isn’t something we spend much time thinking about today, but it’s much the same principle — a security cost we pay to ensure the system is able to function,” says Valve. “We’ve done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.”